[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1917-1)

Jamie Iles jamie.iles at oracle.com
Tue Jul 30 05:28:27 PDT 2013


Synopsis: USN-1917-1 can now be patched using Ksplice
CVEs: CVE-2013-2852

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1917-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel crash on Wireless P2P device connection.

If a P2P wireless device is present and a new one gets connected,
the kernel will crash because of an incorrect check of the network
device's internals.


* Kernel crash when unregistering VLAN interfaces.

If a VLAN interface was registered after the AP, the system will crash
on unregistering because it is not prepared to handle the AP being
closed before its VLANs are removed.


* Kernel panic when GPU acceleration is disabled.

When GPU acceleration is disabled, the related data is freed, but a
subsequent cleanup call after this will cause a kernel panic.


* NULL pointer dereference in Ceph lingering requests.

The Ceph filesystem driver does not correctly release resources when processing
lingering requests, leading to a NULL pointer dereference.


* Memory corruption in CephFS object storage client.

Incorrect locking in the Ceph distributed filesystem client can cause memory
corruption and kernel panic when requesting new OSD mappings.


* CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.

Format string vulnerability in the b43_request_firmware function
in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4
allows local users to gain privileges by leveraging root access and
including format string specifiers in an fwpostfix modprobe parameter,
leading to improper construction of an error message.
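As an added illustration of the pattern behind this CVE (a constructed user-space stand-in, not the kernel's b43 code and not part of the original notice): `postfix` plays the part of the fwpostfix module parameter, and the hypothetical `log_msg`, `report_error_*` and `postfix_is_safe` functions show the format-string misuse beside the corrected call and a parameter check a driver could apply at load time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define MSG_MAX 128

/* Constructed user-space stand-in for the bug class behind CVE-2013-2852;
 * not the kernel's b43 code. "postfix" plays the role of the fwpostfix
 * module parameter: arbitrary text chosen when the module is loaded.
 * log_msg() stands in for the driver's printf-style error logger. */
static void log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message embedding the untrusted postfix is passed
 * as the FORMAT, so any '%' in it is parsed as a directive (undefined). */
static const char *report_error_vulnerable(const char *postfix)
{
    static char out[MSG_MAX];
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Firmware file \"ucode%s.fw\" not found", postfix);
    log_msg(out, sizeof out, msg);          /* BUG: msg is data, not a format */
    return out;
}

/* Fixed pattern: the format is a literal and the untrusted text is only
 * ever a "%s" argument, so '%' characters are copied through verbatim. */
static const char *report_error_fixed(const char *postfix)
{
    static char out[MSG_MAX];
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Firmware file \"ucode%s.fw\" not found", postfix);
    log_msg(out, sizeof out, "%s", msg);
    return out;
}

/* Defence in depth: refuse a postfix carrying '%' when the parameter is set. */
static int postfix_is_safe(const char *p) { return strchr(p, '%') == NULL; }

int main(void)
{   /* only the fixed path is fed a specifier-laden postfix on purpose */
    printf("%s\n", report_error_fixed("%x%x"));     /* "%x%x" appears literally */
    printf("%s\n", report_error_vulnerable("-v4")); /* benign input is fine */
    printf("safe=%d\n", postfix_is_safe("%x%x"));   /* 0: the check rejects it */
    return 0;
}
```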


* Memory corruption when removing a notifier from CLK.

When removing a notifier from the list, the entry is not actually
removed, leaving a stale reference that affects subsequent
registrations.


* Kernel crash on ip_tunnel due to garbage data on IPCB.

If the link failure routine is called while the IPCB has not been
cleared, the garbage data left in it leads to a kernel crash.


* Memory corruption in Bluetooth L2CAP MTU control.

An integer underflow and memory corruption can be triggered by reducing the MTU
of an L2CAP socket and then sending a large L2CAP packet.


* Kernel deadlock when removing a Frame Relay device.

Incorrect locking when removing a Frame Relay DLCI device can cause a deadlock
and kernel panic.


* Kernel panic when removing a Frame Relay device.

Using the DLCI ioctl to remove a Frame Relay device on a socket that is not a
Frame Relay device can cause an invalid memory access and kernel panic.


* Kernel perf monitoring not checking credentials for setuid processes.

The test that disables perf monitoring on setuid processes for regular
users is incorrect, because the credentials for the new process have not
been committed yet.


* Missing permissions checks on /dev/kmsg

Missing permissions checks on /dev/kmsg could allow an unprivileged user
to access the kernel log buffer.


* Kernel oops when using MSG_CMSG_COMPAT in socket interfaces.

From user space it is possible to set MSG_CMSG_COMPAT in the 'send'
and 'receive' socket family interfaces. This is not a supported use of
the flag, and setting it from user space leads to a kernel oops.


* NULL pointer dereference in SCTP socket destruction.

When an SCTP socket is destroyed, it can contain invalid references,
because the destruction routine can be invoked during socket initialization.


* Kernel panic on team interface due to race condition in port removal.

When retrieving the port from a team interface, a NULL reference may be
returned due to a race condition between the port removal and the
socket buffer transaction path, leading to a kernel panic.


* NULL pointer dereference in Team port interface.

A race condition between port enabling and lookup could result in a
NULL pointer dereference.


* Memory leak on L2TP PPP header.

When adding a PPP header, it leaks two bytes of uninitialised memory
at the end of the socket buffer data buffer.


* Information leak in AF_PACKET getname() call.

The getname() syscall does not correctly sanitize memory when called on an
AF_PACKET socket causing the contents of kernel memory to be disclosed to
userspace.


* Kernel crash on IPv6 cork release.

When copying cork options on IPv6, the target memory for them is not
zeroed, so it may contain garbage when the free routines are invoked,
which can lead to a kernel crash.


* Race condition on Swap while waiting on discard I/O completion.

When reading the swap cache page, a race condition can occur,
leading to a system deadlock.


* Race condition on Kernel list when removing waiters.

There is a race condition in the klist interface when removing
waiters, leading to corruption of the prior waiter's thread.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
